As noted, clearly I was doing it wrong:
$ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem:131072
should be:
$ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem=131072
"=" not ":". That corrected my syntax issue. I was still running
into the maxelem limit. My blacklist is a mix of IPs and networks. Doing a broader
search, I ran across a post at centos forums
(https://www.centos.org/forums/viewtopic.php?t=8268). The gist being hash:ip seems to
expand networks (like 192.168.1.0/24) into all the addresses in the network. hash:net is
much more efficient for networks. So I now have a blacklist-ip list and blacklist-net
list (one hash:ip, one hash:net).
That seems to have solved my dilemma.
-David
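As an added example (not from David's post or from the firewalld project), the split described above as a small POSIX shell script: it sorts a mixed blacklist into host entries for a hash:ip set and network entries for a hash:net set, then prints the firewall-cmd invocations that would create and populate them. The set names blacklist-ip and blacklist-net, the maxelem value and the drop-zone binding are assumptions; the sample list is constructed.

```sh
#!/bin/sh
# Split a mixed blacklist so networks never land in a hash:ip set (which
# would expand each network into every address and burn through maxelem).
# Set names, maxelem and the drop zone are assumptions for this example.

# Constructed sample input, one entry per line; '#' lines are comments.
SAMPLE_BLACKLIST='192.0.2.10
198.51.100.0/24
203.0.113.5/32
# a comment line
203.0.113.0/25'

# Drop comment and blank lines.
clean_entries() {
    printf '%s\n' "$1" | grep -v '^#' | grep -v '^[[:space:]]*$'
}

# Host entries: bare addresses and /32 networks (printed as bare addresses).
host_entries() {
    clean_entries "$1" | sed 's#/32$##' | grep -v '/'
}

# Network entries: anything with a prefix length shorter than /32.
net_entries() {
    clean_entries "$1" | grep '/' | grep -v '/32$'
}

# Print the firewall-cmd commands for one set. Note "=" between option
# name and value (maxelem=131072), not ":".
emit_set_commands() {
    name=$1; type=$2; entries=$3
    echo "firewall-cmd --permanent --new-ipset=$name --type=$type --option=maxelem=131072"
    [ -z "$entries" ] || printf '%s\n' "$entries" | while read -r entry; do
        echo "firewall-cmd --permanent --ipset=$name --add-entry=$entry"
    done
    echo "firewall-cmd --permanent --zone=drop --add-source=ipset:$name"
}

# One hash:ip set for hosts, one hash:net set for networks, then reload.
emit_all() {
    emit_set_commands blacklist-ip  hash:ip  "$(host_entries "$1")"
    emit_set_commands blacklist-net hash:net "$(net_entries "$1")"
    echo "firewall-cmd --reload"
}

emit_all "$SAMPLE_BLACKLIST"
```

Pipe the output into `sudo sh` only after reviewing it; the script itself changes nothing on the host.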